About me

My name is Andrea Micheli, I am a post-doc
researcher in Artificial Intelligence Planning and
Temporal Reasoning at the Embedded Systems unit in
Fondazione Bruno Kessler.

In the past, I worked in the field of Formal Verification, first as a developer of the NuSMV and
nuXmv model checkers and later in the development of the
KRATOS software model checker.

I currently work on temporal planning in presence of temporal uncertainty and continuous
resources, and I am one of the leaders of the open-source PySMT project.

Research interests

My primary interests include Artificial
Intelligence Planning in
Continuous Domains and Temporal
Reasoning Under Uncertainty. I focused my
research on the study of temporal uncontrollability in
planning and I'm currently developing planning systems
that take into account these aspects while reasoning.

I am also interested in Satisfiablility Modulo
Theory especially in Linear and Non-linear Real
Arithmetic and Quantified Theories
as an enabling technology for my planning research.

I am still involved in the development of NuSMV, hence I am interested in
Formal Verification in general
and Model Checking in particular.

PhD Thesis

My PhD thesis titled "Planning and Scheduling in
Temporally Uncertain Domains" has been successfully
defended at the University of Trento, Italy on January, 19th 2016.

Any form of model-based reasoning is limited by the adherence of the
model to the actual reality. In temporal planning applications,
complex constraints and synchronizations are required, but often the
actual timing of actions is not under direct control of the plan
executor. For this reason, planning models must be able to express
temporal uncertainty to model this lack of control.

In this thesis, we focus on the temporal uncertainty issue in
scheduling and in temporal planning. We first analyze the state of the
art on the subject presenting a rationalization of existing
works. Second we show how Satisfiability Modulo Theory (SMT)
solvers can be exploited to quickly solve different kinds of query in
the realm of scheduling under uncertainty. Finally, we address the
problem of planning in domains featuring real-time constraints and
durations where some of the actions have a duration that is not under
the control of the planning agent.

The first line states that there are 5 time points and 4 constraints
Then, we have one line for each time point declaring its unique name
and whether it is controllable (c) or uncontrollable (u) Then, we have
one line for each constraint in the form N [cf] (TP1 TP2 l
u)+ where

N is the number of disjuncts for this constraints
(always 1 for a STNU)

'c' is for 'contingent' and 'f' stands for
'free'

then we have N
constraints in the form "TP1 TP2 l u" where TP1 and TP2 are time point
names, l can be a float number or '-inf', u can be a float number or
"+inf". The meaning is the constraint TP2 - TP1 \in [l, u]

Planning in real world domains often involves modeling and reasoning about the duration of actions. Temporal planning allows such modeling and reasoning by looking for plans that specify start and end time points for each action. In many practical cases, however, the duration of actions may be uncertain and not under the full control of the executor. For example, a navigation task may take more or less time, depending on external conditions such as terrain or weather.

In this paper, we tackle the problem of strong temporal planning with uncontrollable action durations (STPUD). For actions with uncontrollable durations, the planner is only allowed to choose the start of the actions, while the end is chosen, within known bounds, by the environment. A solution plan must be robust with respect to all uncontrollable action durations, and must achieve the goal on all executions, despite the choices of the environment.

We propose two complementary techniques. First, we discuss a dedicated planning method, that generalizes the state-space temporal planning framework, leveraging SMT-based techniques for temporal networks under uncertainty. Second, we present a compilation-based method, that reduces any STPUD problem to an ordinary temporal planning problem. Moreover, we investigate a set of sufficient conditions to simplify domains by removing some of the uncontrollability.

We implemented both our approaches, and we experimentally evaluated our techniques on a large number of instances. Our results demonstrate the practical applicability of the two techniques, which show complementary behavior.

Many Planning and Scheduling systems are designed assuming that the system under control is able to decide the duration of all the activities being executed. However, in many application scenarios this assumption is not acceptable because the actual timing of actions is not under direct control of the plan executor. Hence, new Planning and Scheduling techniques are needed to deal with this temporal uncertainty explicitly.

In this paper, we summarize and systematize a series of works in which we addressed this uncertainty problem in the realm of temporal network scheduling. We show how Satisfiability Modulo Theory (SMT) solvers can be exploited to quickly solve different kinds of query in this setting. In particular, we focus on the framework of Disjunctive Temporal Networks with Uncertainty and address the three degrees of controllability for the fully-disjunctive class of problems, solving several open problems in the literature and experimentally showing the performance of the developed techniques. Finally, we outline and discuss several foreseeable directions of research in this field.

Temporal planning is an active research area of Artificial
Intelligence because of its many applications ranging from
robotics to logistics and beyond. Traditionally, authors focused
on the automatic synthesis of plans given a formal
representation of the domain and of the problem. However, the
effectiveness of such techniques is limited by the complexity of
the modeling phase: it is hard to produce a correct model for
the planning problem at hand.

In this paper, we present a technique to simplify the creation
of correct models by leveraging formal-verification tools for
automatic validation. We start by using the ANML language, a
very expressive language for temporal planning problems that has
been recently presented. We chose ANML because of its usability
and readability. Then, we present a sound-and-complete, formal
encoding of the language into Linear Temporal Logic over
predicates with infinite-state variables. Thanks to this
reduction, we enable the formal verification of several relevant
properties over the planning problem, providing useful feedback
to the modeler.

Temporal networks are data structures for representing and reasoning
about temporal constraints on activities. Many kinds of temporal
networks have been defined in the literature, differing in their
expressiveness.
The simplest kinds of networks have polynomial algorithms for
determining their temporal consistency or different levels of
controllability, but corresponding algorithms for more expressive
networks (e.g., those that include observation nodes or disjunctive
constraints) have so far been unavailable.

This paper introduces a new approach to determine the dynamic
controllability of a very expressive class of temporal networks that
accommodates observation nodes and disjunctive constraints.
The approach is based on encoding the dynamic controllability problem
into a reachability game for Timed Game
Automata (TGAs).
This is the first sound and complete approach for determining the
dynamic controllability of such networks.
The encoding also highlights the theoretical relationships between
various kinds of temporal networks and TGAs.
The new algorithms have immediate applications in the design and
analysis of workflow models being developed to automate business
processes, including workflows in the health-care domain.

The Temporal Network with Uncertainty (TNU) modeling framework
is used to represent temporal knowledge in presence of
qualitative temporal uncertainty. Dynamic Controllability (DC)
is the problem of deciding the existence of a strategy for
scheduling the controllable time points of the network observing
past happenings only.

In this paper, we address the DC problem for a very general
class of TNU, namely Disjunctive Temporal Network with
Uncertainty. We make the following contributions. First, we
define strategies in the form of an executable language; second,
we propose the first decision procedure to check whether a given
strategy is a solution for the DC problem; third we present an
efficient algorithm for strategy synthesis based on techniques
derived from Timed Games and Satisfiability Modulo Theory. The
experimental evaluation shows that the approach is superior to
the state-of-the-art.

Satisfiability Modulo Theory is increasingly being used as workhorse
in multiple and disparate domains. Several efficient solvers exist
and cross-compatibility is provided by a wide adoption of the
SMT-Lib interface. Nevertheless, there are still some obstacles that
slow down the development of algorithms based on the SMT technology.

First, there is no common programmatic API among different solvers:
a user needs to commit to a specific solver API early in the
development, or implement a text-based interaction via the SMT-Lib
interface, thus losing the ability of exploiting features provided
by solvers that are not part of the SMT-Lib. Second, there is no
high-level SMT API for fast prototyping: a user often needs to
re-implement common routines such as substitution and type-checking.

In this paper, we introduce pySMT, an open-source python library
that provides a solver agnostic interface to define, manipulate and
solve SMT formulae. pySMT leverages the native APIs of solvers (if
available) or their SMT-LIB interface. The library allows the
seamless combination of different solvers and fast prototyping
of complex SMT-based algorithms.

Real world temporal planning often involves dealing with uncertainty
about the duration of actions. In this paper, we describe a
sound-and-complete compilation technique for strong planning that
reduces any planning instance with uncertainty in the duration of
actions to a plain temporal planning problem without uncertainty.

We evaluate our technique by comparing it with a recently-presented
technique for PDDL domains with temporal uncertainty. The
experimental results demonstrate the practical applicability of our
approach and show a complementary behavior with respect to the
previous techniques. We also demonstrate the high expressiveness of
the translation by applying it to a significant fragment of the ANML
language.

This paper describes the XSAP safety analysis
platform. XSAP provides several model-based safety analysis
features for finite- and infinite-state synchronous transition
systems. In particular, it supports library-based definition of
fault modes, an automatic model extension facility, generation of
safety analysis artifacts such as Dynamic Fault Trees (DFTs) and
Failure Mode and Effects Analysis (FMEA) tables. Moreover, it
supports probabilistic evaluation of Fault Trees, failure
propagation analysis using Timed Failure Propagation Graphs
(TFPGs), and Common Cause Analysis (CCA). XSAP has been used in
several industrial projects as verification back-end, and is
currently being evaluated in a joint R&D Project involving FBK and
The Boeing Company.

Real world temporal planning often involves dealing with uncertainty
about the duration of actions. In this paper, we describe a
sound-and-complete compilation technique for strong planning that
reduces any planning instance with uncertainty in the duration of
actions to a plain temporal planning problem without uncertainty.

We evaluate our technique by comparing it with a recently-presented
technique for PDDL domains with temporal uncertainty. The
experimental results demonstrate the practical applicability of our
approach and show a complementary behavior with respect to the
previous techniques. We also demonstrate the high expressiveness of
the translation by applying it to a significant fragment of the ANML
language.

The framework of temporal problems with uncertainty (TPU) is useful
to express temporal constraints over a set of activities subject to
uncertain (and uncontrollable) duration. In this work, we focus on the
most general class of TPU, namely disjunctive TPU (DTPU), and
consider the case of weak controllability, that allows one to model
problems arising in practical scenarios (e.g. on-line scheduling).

We first tackle the decision problem, i.e. whether there exists a
schedule of the activities that, depending on the
uncertainty, satisfies all the constraints. We propose a logical
approach, based on the reduction to a problem of Satisfiability Modulo
Theories (SMT), in the theory of Linear Real Arithmetic with
Quantifiers. This results in the first implemented solver for weak
controllability of DTPUs.

Then, we tackle the problem of synthesizing control strategies for
scheduling the activities. We focus on strategies that are amenable
for efficient execution. We prove that linear strategies are not
always sufficient, even in the sub-case of simple TPU (STPU), while
piecewise-linear strategies, that are multiple conditionally-applied
linear strategies, are always sufficient. We present several
algorithms for the synthesis of linear and piecewise-linear
strategies, in case of STPU and of DTPU.

All the algorithms are implemented on top of SMT solvers. We provide
experimental evidence of the scalability of the proposed techniques,
with dramatic speed-ups in strategy execution compared to on-line
reasoning.

Timed Failure Propagation Graphs (TFPGs) are a formalism used in
industry to describe failure propagation in a dynamic partially
observable system. TFPGs are commonly used to perform model-based
diagnosis.

As in any model-based diagnosis approach, however, the quality of the
diagnosis strongly depends on the quality of the model. Approaches to
certify the quality of the TFPG are limited and mainly rely on
testing. In this work we address this problem by leveraging efficient
Satisfiability Modulo Theories (SMT) engines to perform exhaustive
reasoning on TFPGs.

We apply model-checking techniques to certify that a given TFPG
satisfies (or not) a property of interest. Moreover, we discuss the
problem of refinement and diagnosability testing and empirically show
that our technique can be used to efficiently solve them.

In many practical domains, planning systems are required to reason
about durative actions. A common assumption in the literature is that
the executor is allowed to decide the duration of each
action. However, this assumption may be too restrictive for
applications.

In this paper, we tackle the problem of temporal planning with
uncontrollable action durations. We show how to generate robust plans,
that guarantee goal achievement despite the uncontrollability of the
actual duration of the actions. We extend the state-space temporal
planning framework, integrating recent techniques for solving temporal
problems under uncertainty. We discuss different ways of lifting the
total order plans generated by the heuristic search to partial order
plans, showing (in)completeness results for each of them.

We implemented our approach on top of COLIN, a state-of-the-art
planner. An experimental evaluation over several benchmark problems
shows the practical feasibility of the proposed approach.

Temporal Problems (TPs) represent constraints over the timing of
activities, as arising in many applications such as scheduling and
temporal planning. A TP with uncertainty (TPU) is characterized by
activities with uncontrollable duration. Different classes of TPU are
possible, depending on the Boolean structure of the constraints: we
have simple (STPU), constraint satisfaction (TCSPU), and disjunctive
(DTPU) temporal problems with uncertainty.

In this paper we tackle the problem of strong controllability, i.e.
finding an assignment to all the controllable time points, such that
the constraints are fulfilled under any possible assignment of
uncontrollable time points.

Our approach casts the problem in the framework of Satisfiability
Modulo Theory (SMT), where the uncertainty of durations can be
modeled by means of universal quantifiers. The use of quantifier
elimination techniques leads to quantifier-free encodings, which are
in turn solved with efficient SMT solvers.

We obtain the first practical and comprehensive solution for strong
controllability. We provide a family of efficient encodings, that are
able to exploit the specific structure of the problem. The approach
has been implemented, and experimentally evaluated over a large set of
benchmarks. The results clearly demonstrate that the proposed approach
is feasible, and outperforms the best state-of-the-art competitors,
when available.

This paper describes the nuXmv symbolic model checker for finite- and
infinite-state synchronous transition systems. nuXmv is the
evolution of the NuSMV open source model checker. It builds on and
extends NuSMV along two main directions. For finite-state systems it
complements the basic verification techniques of NuSMV with
state-of-the-art verification algorithms.

For infinite-state systems, it extends the NuSMV language with new
data types, namely Integers and Reals, and it provides advanced
SMT-based model checking techniques.

Besides extended functionalities, nuXmv has been optimized in terms
of performance to be competitive with the state of the art.
nuXmv has been used in several industrial projects as verification
back-end, and it is the basis for several extensions to cope with
requirements analysis, contract based design, model checking of hybrid
systems, safety assessment, and software model checking.

Temporal networks are data structures for representing and reasoning
about temporal constraints on activities. Many kinds of temporal
networks have been defined in the literature, differing in their
expressiveness. The simplest kinds of networks have polynomial
algorithms for determining their consistency or controllability, but
corresponding algorithms for more expressive networks (e.g., those
that include observation nodes or disjunctive constraints) have so far
been unavailable. However, recent work has introduced a new approach
to such algorithms based on translating temporal networks into Timed
Game Automata (TGAs) and then using off-the-shelf software to
synthesize execution strategies - or determine that none exist. So
far, that approach has only been used on Simple Temporal Networks with
Uncertainty, for which polynomial algorithms already exist.

This paper extends the temporal-network-to-TGA approach to accommodate
observation nodes and disjunctive constraints. Insodoing the paper
presents, for the first time, sound and complete algorithms for
checking the dynamic controllability of these more expressive
networks. The translations also highlight the theoretical
relationships between various kinds of temporal networks and the TGA
model. The new algorithms have immediate applications in the workflow
models being developed to automate business processes, including in
the health-care domain.

A Simple Temporal Network with Uncertainty (STNU) is a
structure for representing and reasoning about
temporal constraints in domains where some temporal durations are
not controlled by the executor. The most important property of an
STNU is whether it is dynamically controllable (DC); that is,
whether there exists a strategy for executing the controllable
time-points that guarantees that all constraints will be satisfied
no matter how the uncontrollable durations turn out.

This paper provides a novel mapping from STNUs to Timed Game
Automata (TGAs) that: (1) explicates the deep
theoretical relationships between STNUs and TGAs;
and (2) enables the memoryless strategies generated from the TGA
to be transformed into equivalent STNU execution strategies that
reduce the real-time computational burden for the executor. The
paper formally proves that the STNU-to-TGA encoding properly captures
the execution semantics of STNUs.

Timelines are a formalism to model planning domains where the
temporal aspects are predominant, and have been used in many
real-world applications.
Despite their practical success, a major limitation is the inability
to model temporal uncertainty, i.e. the fact that the plan executor
cannot decide the actual duration of some activities.

In this paper we make two key contributions. First, we propose a
comprehensive, semantically well founded framework that
(conservatively) extends with temporal uncertainty the state of the
art timeline approach.

Second, we focus on the problem of producing time-triggered plans
that are robust with respect to temporal uncertainty, under a
bounded horizon. In this setting, we present the first complete
algorithm, and we show how it can be made practical by leveraging
the power of Satisfiability Modulo Theories.

Many applications, such as scheduling and temporal planning, require
the solution of Temporal Problems (TP's) representing constraints
over the timing of activities. A TP with uncertainty (TPU) is
characterized by activities with uncontrollable duration. Depending on
the Boolean structure of the constraints, we have simple (STPU),
constraint satisfaction (TCSPU), and disjunctive (DTPU) temporal
problems with uncertainty.

In this work we tackle the problem of strong controllability, i.e.
finding an assignment to all the controllable time points, such that
the constraints are fulfilled under any possible assignment of
uncontrollable time points. We work in the framework of Satisfiability
Modulo Theory (SMT), where uncertainty is expressed by means of
universal quantifiers. We obtain the first comprehensive solution to
strong controllability: the use of quantifier elimination techniques
leads to quantifier-free encodings, which are in turn solved with
efficient SMT solvers.

We provide a detailed experimental evaluation of our approach over a
large set of benchmarks. The results clearly demonstrate that the
proposed approach is feasibile, and outperforms the best
state-of-the-art competitors, when available.

Temporal Problems with Uncertainty are a well established formalism to
model time constraints of a system interacting with an uncertain
environment. Several works have addressed the definition and the
solving of Controllability problems, and three degrees of
controllability have been proposed: Weak, Strong, and Dynamic.

In this work we focus on Weak Controllability: we address both the
decision and the strategy extraction problems. Extracting a strategy
means finding a function from assignments to uncontrollable time
points to assignments to controllable time points that fulfills all
the temporal constraints.

We address the two problems in the Satisfiability Modulo Theory
framework. We provide a clean and complete formalization of the
problems, and we propose novel techniques to extract strategies. We
also provide experimental evidence of the scalability and efficiency
of the proposed techniques.

The growing popularity of SystemC has attracted research aimed at the
formal verification of SystemC designs. In this paper we present
KRATOS, a software model checker for SystemC. KRATOS verifies safety
properties, in the form of program assertions, by allowing users to
explore two directions in the verification. First, by relying on the
translation from SystemC designs to sequential C programs, KRATOS is
capable of model checking the resulting C programs using the symbolic
lazy predicate abstraction technique. Second, KRATOS implements a
novel algorithm, called ESST, that combines Explicit state techniques
to deal with the SystemC Scheduler, with Symbolic techniques to deal
with the Threads. KRATOS is built on top of NuSMV and MathSAT, and
uses state-ofthe-art SMT-based techniques for program abstractions and
refinements.

Requirement engineering is one of the most important phases in the
development process of software and systems. In safety-critical
applications, it is important to support the validation of the
requirements with formal techniques to identify and remove
flaws. However, requirements are often written in textual documents
and their formalization and validation is not trivial for non-experts
in formal methods. The goal of the OthelloPlay tool is to support
formalization of textual requirements and to simplify the use of
formal techniques for requirements validation. The tool combines a
formal verification engine and the Microsoft Word editor in a single
and consistent environment. A fundamental key in our design approach
is a plug-in-based architecture, which uses the Python language in
conjunction with a Microsoft Word Add-In. The user can jump between
textual requirements in the Microsoft Word editor and the
corresponding formal requirements model.

SystemC is becoming a de-facto standard for the development
of embedded systems. Verification of SystemC designs
is critical since it can prevent error propagation down to the
hardware. SystemC allows for very efficient simulations before
synthesizing the RTL description, but formal verification is still
at a preliminary stage. Recent works translate SystemC into the
input language of finite-state model checkers, but they abstract
away relevant semantic aspects, and show limited scalability.

In this paper, we approach formal verification of SystemC by
reduction to software model checking. We explore two directions.
First, we rely on a translation from SystemC to a sequential C
program, that contains both the mapping of the SystemC threads
in form of C functions, and the coding of relevant semantic aspects
(e.g. of the SystemC kernel). In terms of verification, this enables
the “off-the-shelf” use of model checking techniques for sequential
software, such as lazy abstraction.

Second, we propose an approach that exploits the intrinsic
structure of SystemC. In particular, each SystemC thread is translated
into a separate sequential program and explored with lazy
abstraction, while the overall verification is orchestrated by the
direct execution of the SystemC scheduler. The technique can be
seen as generalizing lazy abstraction to the case of multi-threaded
software with exclusive threads and cooperative scheduling.

The above approaches have been implemented in a new software
model checker. An experimental evaluation carried out on
several case studies taken from the SystemC distribution and from
the literature demonstrate the potential of the approach.

We present the EuRailCheck tool, which supports the formalization and
the validation of requirements, based on the use of formal
methods. The tool allows the user to analyze the requirements in
natural language and to categorize and structure them. It allows to
formalize the requirements into a subset of UML enriched with static
and temporal constraints for which we defined a formal
semantics. Finally, the tool allows to apply model checking techniques
specialized for the validation of formal requirements.

The tool has been developed and validated within a
project funded by the European Railway Agency for the validation
of the European Train Control System specification.
By now, the tool has been successfully used by about thirty
railway experts of different companies.